A critical bug found in Slack could allow an attacker to access users’ private channels and conversations. Threatpost broke down the details of the flaw in the popular messaging and collaboration app.
To exploit the bug, attackers would need to upload a file containing a payload to their own HTTPS-enabled server; then, they could prepare a Slack post with an HTML injection containing the attack URL pointing to that payload (hidden in an image). After that, they need only share that post with a public Slack channel or user. If a user clicks on the booby-trapped image, the code will be executed on the victim’s machine.
As for accomplishing the HTML injection, the issue lies in the way Slack posts are created, according to the researcher. “[Creating a post] creates a new file on https://files.slack.com with [a specific] JSON structure,” according to the writeup. “It’s possible to directly edit this JSON structure, which can contain arbitrary HTML.”
Check It Out: Researchers Find Critical Slack Bug